
Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts

Under Armour is getting kudos for disclosing breach within weeks, but concerns remain over an unknown portion of credentials reportedly stored using the weak SHA-1 hashing function.

UPDATE

Fitness apparel firm Under Armour said 150 million users of its MyFitnessPal app are victims of a breach exposing usernames, email addresses and hashed passwords.

The company said personally identifiable information such as credit card numbers and Social Security numbers was not part of the breach. Under Armour purchased MyFitnessPal, a diet, nutrition and exercise tracking website and app, in 2015 for $475 million.

In a statement sent to customers on Friday, the company said that on March 25, 2018 it became aware that in February 2018 “an unauthorized party acquired data associated with MyFitnessPal user accounts.”

“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement.

“What Under Armour did differently was they came clean about the breach almost immediately. And they are getting a lot of kudos for this,” said George Avetisov, CEO of security firm HYPR. “It should prove that whether there’s regulatory enforcement or not, companies have a duty to their customers and fiduciary responsibility to reveal these breaches as soon as possible.”

By comparison, it took LinkedIn four years to discover and disclose its breach of 117 million email addresses and passwords. With Yahoo, it took three years to investigate and disclose a massive data breach of account information tied to 3 billion users. It took Dropbox four years to report details of more than 68 million user accounts that leaked in 2012.

“The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords,” according to an email sent to customers signed by Paul Fipps, chief digital officer at Under Armour.

Bcrypt is a 19-year-old password-hashing algorithm, published in 1999 and built on the Blowfish symmetric block cipher. It is still considered a sound choice because it is deliberately slow: a configurable work factor (key stretching) multiplies the cost of every guess an attacker makes, and a per-password salt defeats precomputed tables and forces each hash to be attacked separately.

However, according to noted breach expert Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, some of the MyFitnessPal account data was protected with SHA-1, an older and weaker hashing function. SHA-1 is a general-purpose hash designed for speed, not for password storage: commodity GPUs can test billions of candidate passwords per second against it, and Under Armour's notice does not say whether those SHA-1 hashes were salted.

“This echoes what happened with Dropbox. It had about half their hashes as SHA-1 and half their hashes as Bcrypt,” Hunt said in his weekly video blog. “What a lot of companies do is they have a legacy hashing algorithm approach and time goes by and they say ‘SHA-1 isn’t any good anymore and we should use Bcrypt.’”

He argues that the window of time needed to port millions of SHA-1-protected credentials to bcrypt is too long, leaving millions of credentials vulnerable to cracking in the meantime. The usual migration re-hashes each account only when its owner next logs in, because that is the only moment the plaintext password is available, so accounts that rarely or never log in keep their SHA-1 hash indefinitely.

Under Armour declined to say what percentage were stored using SHA-1, only saying it was a minority.
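The key-stretching point made about bcrypt above, and Hunt's migration-window problem, as an added example that is not part of the Threatpost article or of any Under Armour or MyFitnessPal code. It shows the attacker's cost against an unsalted SHA-1 table (one hash per guess), and the migration pattern that closes Hunt's window: wrap every stored SHA-1 digest inside the slow, salted hash immediately and in bulk, which needs only the digest and not the password, then re-hash each account natively on its next successful login. Assumptions: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs without third-party packages (the flow is identical with bcrypt); the record layout, the `table` dictionary and the sample password and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Legacy scheme: unsalted SHA-1 of the password. This is the weak "before"
# state described in the article and exists here only to be migrated away from.
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Key-stretched scheme. PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption,
# chosen so the example needs no third-party package). Each guess costs an
# attacker ITERATIONS hash computations instead of one.
ITERATIONS = 100_000

def stretch(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def new_record(password: str) -> dict:
    """Record for a freshly set password: per-user salt, stretched, no legacy layer."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": ITERATIONS,
            "hash": stretch(password.encode("utf-8"), salt, ITERATIONS)}

def wrap_legacy(sha1_hex: str) -> dict:
    """Bulk-migrate a stored SHA-1 hash without knowing the password:
    treat the SHA-1 digest itself as the secret and stretch it with a salt."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "salt": salt, "iterations": ITERATIONS,
            "hash": stretch(bytes.fromhex(sha1_hex), salt, ITERATIONS)}

def migrate_table(table: dict) -> dict:
    """One offline pass over the whole user table: no SHA-1-only record survives it."""
    return {user: wrap_legacy(rec["hash"]) if rec["scheme"] == "sha1" else rec
            for user, rec in table.items()}

def verify(record: dict, password: str) -> bool:
    scheme = record["scheme"]
    if scheme == "sha1":
        return hmac.compare_digest(record["hash"], legacy_sha1(password))
    if scheme == "pbkdf2":
        material = password.encode("utf-8")
    elif scheme == "pbkdf2(sha1)":
        # Recompute the inner legacy digest, then the outer stretched hash.
        material = bytes.fromhex(legacy_sha1(password))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    candidate = stretch(material, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], candidate)

def login(record: dict, password: str) -> tuple:
    """Verify; on success, upgrade a legacy or wrapped record to the native
    scheme now that the plaintext password is in hand. Returns (ok, record)."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "pbkdf2":
        record = new_record(password)
    return True, record

def crack_sha1(sha1_hex: str, wordlist) -> "str | None":
    """Attacker's side against the legacy scheme: one cheap SHA-1 per guess,
    and without a salt the same table serves every user at once."""
    for guess in wordlist:
        if legacy_sha1(guess) == sha1_hex:
            return guess
    return None

if __name__ == "__main__":
    # Constructed sample data: one legacy user, one native user.
    table = {"alice": {"scheme": "sha1", "hash": legacy_sha1("fitness123")},
             "bob": new_record("correct horse battery staple")}
    print("cracked alice from wordlist:",
          crack_sha1(table["alice"]["hash"], ["password", "fitness123"]))
    table = migrate_table(table)          # bulk wrap, no passwords needed
    print("alice after migration:", table["alice"]["scheme"])
    ok, table["alice"] = login(table["alice"], "fitness123")
    print("alice after login:", ok, table["alice"]["scheme"])
```

Once `migrate_table` has run, an attacker who steals the table pays the stretched cost for every guess on every account, including the ones whose owners never return; the `pbkdf2(sha1)` records are only a stepping stone and disappear one login at a time.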

Fipps said customers will be required to change their passwords in the coming days.

“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” Fipps wrote to MyFitnessPal users.

The MyFitnessPal breach is the largest breach of 2018 so far.

“This is an old story and shows we are still not learning from the last mammoth breach. The fact is, whether it’s passwords or medical data, what these companies are doing is putting all these pieces of data in one place creating a single point of failure,” Avetisov said.

(This article was updated 3/30/2018 at 2 pm ET with a short statement from Under Armour)

Discussion

Actually I was always looking for this kind of software, storing the data locally on my PC. Couldn't find one because.
I was always told that this wouldn't be secure and I'm in danger to lose all my data because of no backup and no secure storage.
Now I am confronted with a security breach, so my data is not secure, not lost but even worse public to an unnumbered amount of people.
Many thanks!! You are in good partnership with a lot of other big players on the market. Isn't this remarkable, every time the same excuses? Do you REALLY deserve our data?
SORRY, but meanwhile I doubt!

Authors

Threatpost